Remarks by Assistant Secretary Strickling at American European Community Association (AECA) Conference

Remarks by Lawrence E. Strickling
Assistant Secretary of Commerce for Communications and Information
“Data Protection: The Challenges and Opportunities for Individuals and Businesses”
American European Community Association (AECA) Conference
Brussels, Belgium
December 3, 2013

-As prepared for delivery-

Thank you for providing me this opportunity to speak about a very timely and important topic. As the Administrator of the National Telecommunications and Information Administration, I serve as the President’s principal advisor on telecommunications and information policy issues. The Obama Administration is committed to preserving the dynamism and openness of the Internet, enhancing the free flow of information, and strengthening our Internet economy.

As President Obama noted in the International Strategy for Cyberspace, “preserving trust in the Internet economy protects and enhances substantial economic activity.” President Obama also noted that “…[W]ith the revelations that have depleted public trust . . . if there are some additional things that we can do to build that trust back up, then we should do them.’’ Obviously trust is a big topic of discussion here and in the U.S. due to the disclosures.

To that end, the President has directed a detailed review of the nation’s surveillance capabilities. This process is taking place both within and independent of the Administration. Externally, an independent Review Group on Intelligence and Communications Technology is considering how to strike the appropriate balance between capabilities and intelligence collection, fully informed by our strong commitment to privacy principles. It plans to issue recommendations to the President later this year. The Privacy and Civil Liberties Oversight Board, another body tasked with independent oversight of counterterrorism policies, is undertaking a review of those specific activities. Finally, within the Administration, we are working actively to address concerns raised by those disclosures. Because these reviews are still underway, I am not able to address the privacy issues raised by the intelligence programs during this session.

While these intelligence-focused reviews are underway, it is imperative we recognize the broader context of these issues, and not let the questions about the disclosures damage our positive trans-Atlantic engagement on privacy. Nor should we allow the concerns to lead to cutting off data flows between the U.S. and the EU. Transborder trade – and especially transatlantic trade – now relies on the continued open flow of data, and cutting off these flows would cause significant and immediate economic damage on both sides of the Atlantic.

Last Wednesday, the European Commission issued a report assessing Safe Harbor. The U.S.-EU Safe Harbor Framework has enabled transatlantic trade, data flows, and the protection of EU citizens’ privacy for over a decade, and it is vital that it continue to do so going forward. We agree with the Commission’s assessment that Safe Harbor has proved increasingly important to our trans-Atlantic commercial relationship. We are pleased that the Commission recognized that transfers of personal data are a necessary element of our trans-Atlantic relationship. We are also pleased that the Commission recognized that our continued engagement on consumer privacy must be addressed in its proper context, without affecting other aspects of EU-U.S. relations. To enhance our commercial relationship, and benefit the digital economy, the Commission made a series of recommendations that, in their view, will restore trust in trans-Atlantic data flows. These recommendations focus on improving transparency, redress, and enforcement. We are currently studying these recommendations.

Department of Commerce Secretary Penny Pritzker welcomed the Commission’s latest report. The Department is optimistic that our ongoing dialogue with the Commission will lead to positive outcomes.

Our continued positive engagement with the European Commission benefits both the U.S. and the EU — it is critical to both of our economies. EU clients, EU subsidiaries, EU parent companies and EU partners rely on the ability of their U.S. counterparts or U.S. offices to certify to Safe Harbor. One Safe Harbor company recently informed us that thousands of their customer contracts include Safe Harbor commitments. Safe Harbor is not just for U.S. companies. Quite a number of Safe Harbor companies are actually U.S. subsidiaries or offices of European firms. Safe Harbor is not just for big U.S. companies. More than half of its certified companies are SMEs. Safe Harbor is not just for ICT companies. In fact, participants to Safe Harbor are coming from the agribusiness, pharmaceuticals, engineering, manufacturing and many other sectors.

For over a decade, Safe Harbor has been ensuring that the privacy rights of EU citizens are protected. My colleague Commissioner Julie Brill at the U.S. Federal Trade Commission, which enforces Safe Harbor, emphasized the privacy benefits Safe Harbor provides best. During a September 17 privacy conference in Brussels, she said that without the Safe Harbor, her job to protect EU consumers’ privacy would be much harder.

As you all know, both the U.S. and the EU are engaged in ongoing efforts to modernize and strengthen our privacy frameworks. As the global economy increasingly relies on data, we must both identify more effective and technology-neutral ways to protect data and more efficient ways to legally transfer data. We also must ensure that markets have confidence in these regimes, that they do not create unnecessary uncertainty for our companies or consumers.

This is not just a transatlantic challenge. It is a global challenge, in which we must accommodate vastly different legal systems if data is ever to be protected on a global scale. It is also one in which the U.S. and Europe share common principles and an historically interoperable approach, which has made our trade relationship the envy of the world. And we are committed to both preserving that history, while ensuring its protections keep up with the times.

Let me review where we are in the U.S. on improving consumer data privacy. In 2012, President Obama issued the consumer privacy Blueprint, which has four key elements. The first is to enact baseline privacy legislation. The Obama Administration continues to develop the baseline consumer privacy legislation called for in the Blueprint. The Department of Commerce is working on a draft of privacy legislation that closely follows the Consumer Privacy Bill of Rights set out in the Blueprint. We are actively engaging with leaders in the House and Senate committed to protecting consumer privacy and trust, including the new bipartisan task force on privacy, about how to move privacy legislation forward.

The second element of the Blueprint is the development of enforceable codes of conduct. Efforts in the U.S. and EU as well as other regions toward the development and recognition of enforceable codes of conduct are an important step in this direction. This is the idea behind the EU’s binding corporate rules, just as it is the idea behind the APEC cross border privacy rules and the Safe Harbor Framework. The EU’s proposed data protection regulation recognizes the benefits of enforceable codes of conduct, and we hope the EU will continue to build on this recognition.

In the blueprint, the Obama Administration noted that the attributes of speed, flexibility and decentralized problem-solving in well-structured multistakeholder consultations offer certain advantages over traditional government regulation when it comes to establishing globally applicable codes of conducts that promote innovation and protect consumers.

The Administration supports multistakeholder processes that bring together technical experts, companies, advocates, civil and criminal law enforcement representatives responsible for enforcing consumer privacy laws, and academics to find creative solutions to problems. Flexibility in the deliberative process is critical to allowing stakeholders to explore the technical and policy dimensions—which are often intertwined—of Internet policy issues. These types of processes will allow the United States to confront a broad, complex, and global set of consumer data privacy issues for years to come.

Last July, in a process convened by my agency [NTIA], stakeholders completed a code of conduct that will improve privacy disclosures on mobile devices. These enhanced short-form disclosures will communicate key information to consumers clearly and concisely.

My staff and I learned a lot during the process. Most important, we learned that we could not predict what outcomes would satisfy the range of civil society, business, and academic stakeholders. For example, one might think that the group would have prescribed a single set of privacy icons for mobile apps. We were surprised to discover that stakeholders widely agreed that the code should not include standardized icons. Many stakeholders in the group said that privacy icons required usability testing. Although stakeholder opinions diverged on a range of topics, the group reached consensus on core issues, and agreed to move forward with testing and implementation of the code. Early test results have been positive and we look forward to seeing how companies roll out new, innovative disclosures in the coming months.

We have demonstrated that a multistakeholder process to develop codes of conduct can work. As a result, I’m pleased to announce that we will convene the next multistakeholder process early next year. This new privacy multistakeholder process will focus on an issue that is increasingly central to our online lives, and with vast implications for the future of digital security: the commercial use of facial recognition technology. We welcome European participation in this process.

The third element of the Blueprint is strong enforcement by the Federal Trade Commission. Enforcement is critical to protecting consumers both in the U.S. and abroad. The FTC has unparalleled experience in consumer privacy enforcement. Its enforcement actions have addressed practices in offline and online environments. They have brought enforcement actions against well-known companies, such as Google, Facebook, Twitter, Microsoft, and Myspace, as well as lesser-known companies. The FTC has sued businesses that installed spyware on computers, deceptively tracked consumers online, unlawfully collected information on consumers’ mobile devices. The resulting orders have typically provided for ongoing monitoring by the FTC, prohibited further law violations, and subjected the businesses to substantial financial penalties for order violations.

Moreover, FTC orders do not just cover individuals who may have complained about a problem; rather, they protect all consumers dealing with the business. In the cross-border context, the FTC has jurisdiction to protect consumers worldwide from practices taking place in the United States. As Commissioner Brill recently noted, the FTC’s cases against Google, Facebook and Myspace addressed the companies’ failure to comply with Safe Harbor. These cases have led to orders that, for the next 20 years, govern the data collection and use activities of these companies. These orders protect one billion consumers worldwide.

The fourth element of the Blueprint is interoperability with other privacy regimes around the world. Notwithstanding the news headlines, I hope that the U.S. and Europe will continue to work together to ensure that our privacy frameworks are interoperable and that trans-Atlantic data flows are preserved, leading to economic growth on both sides of the Atlantic.